053cc9534d
[2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.
2021-06-02 10:26:22 +02:00
6229d8794f
[2.2.x] Confirmed release date for Django 2.2.24.
...
Backport of f66ae7a2d5
2021-06-02 10:23:20 +02:00
f163ad5c63
[2.2.x] Added stub release notes and date for Django 2.2.24.
...
Backport of b46dbd4e3e
2021-05-26 10:21:53 +02:00
bed1755bc5
[2.2.x] Changed IRC references to Libera.Chat.
...
Backport of 66491f08fe
2021-05-20 12:42:48 +02:00
63f0d7a0f6
[2.2.x] Refs #32718 -- Fixed file_storage.test_generate_filename and model_fields.test_filefield tests on Python 3.5.
2021-05-14 06:59:11 +02:00
5fe4970bd0
[2.2.x] Post-release version bump.
2021-05-13 09:22:34 +02:00
61f814f9fa
[2.2.x] Bumped version for 2.2.23 release.
2021-05-13 09:19:56 +02:00
b8ecb06436
[2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.
...
- Validate filename returned by FileField.upload_to() not a filename
passed to the FileField.generate_filename() (upload_to() may
completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.
Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.
Regression in 0b79eb3691b55699968f
2021-05-13 09:00:25 +02:00
3ba089ac7e
[2.2.x] Refs #32718 -- Corrected CVE-2021-31542 release notes.
...
Backport of d1f1417cae
2021-05-12 10:44:25 +02:00
88d9b28c0c
[2.2.x] Added CVE-2021-32052 to security archive.
...
Backport of efebcc429f
2021-05-06 10:05:46 +02:00
7ada1f90c6
[2.2.x] Post-release version bump.
2021-05-06 09:10:34 +02:00
df9fd4661e
[2.2.x] Bumped version for 2.2.22 release.
2021-05-06 09:08:28 +02:00
d9594c4ea5
[2.2.x] Fixed #32713 , Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.
...
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.
[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603e1e81aa1c4
2021-05-06 08:53:27 +02:00
163700388c
[2.2.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.
...
The validate_file_name() sanitation introduced in
0b79eb3691914c72be2aa708f39ce6
2021-05-06 07:44:15 +02:00
bcafd9ba84
[2.2.x] Added CVE-2021-31542 to security archive.
...
Backport of 607ebbfba962b2e8b37e
2021-05-04 11:14:17 +02:00
3931dc7651
[2.2.x] Post-release version bump.
2021-05-04 10:24:07 +02:00
ff1385ae45
[2.2.x] Bumped version for 2.2.21 release.
2021-05-04 10:18:53 +02:00
04ac1624bd
[2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
2021-04-27 19:10:08 +02:00
7f1b088ab4
[2.2.x] Added CVE-2021-28658 to security archive.
...
Backport of 1eac8468cb
2021-04-06 09:48:05 +02:00
e95fbb6a76
[2.2.x] Post-release version bump.
2021-04-06 08:45:22 +02:00
ad9fa56a17
[2.2.x] Bumped version for 2.2.20 release.
2021-04-06 08:39:37 +02:00
4036d62bda
[2.2.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
...
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
Backport of d4d800ca1a
2021-04-06 08:38:19 +02:00
6e58828f8b
[2.2.x] Added CVE-2021-23336 to security archive.
...
Backport of ab58f07250
2021-02-19 11:07:56 +01:00
1fb4628a83
[2.2.x] Post-release version bump.
2021-02-19 09:45:49 +01:00
21a5547793
[2.2.x] Bumped version for 2.2.19 release.
2021-02-19 09:44:55 +01:00
fd6b6afd59
[2.2.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl().
2021-02-18 10:27:25 +01:00
226d831918
[2.2.x] Added documentation extlink for bugs.python.org.
...
Backport of d02d60eb0f
2021-02-17 14:28:05 +01:00
34010d8ffa
[2.2.x] Added CVE-2021-3281 to security archive.
...
Backport of f749148d62
2021-02-01 10:47:08 +01:00
06ae7e0742
[2.2.x] Post-release version bump.
2021-02-01 09:49:28 +01:00
fc0c8cfa49
[2.2.x] Bumped version for 2.2.18 release.
2021-02-01 09:43:16 +01:00
21e7622dec
[2.2.x] Fixed CVE-2021-3281 -- Fixed potential directory-traversal via archive.extract().
...
Thanks Florian Apolloner, Shai Berger, and Simon Charette for reviews.
Thanks Wang Baohua for the report.
Backport of 05413afa8c
2021-02-01 09:14:54 +01:00
ee9d623831
[2.2.x] Fixed GeoIPTest.test04_city() failure with the latest GeoIP2 database.
...
Backport of 135c800fe6
2021-01-29 11:03:59 +01:00
e8e28e747f
[2.2.x] Updated CVE URL.
...
Backport of 656b331b13
2021-01-02 12:51:06 +01:00
e893c0ad8b
[2.2.x] Fixed #31850 -- Fixed BasicExtractorTests.test_extraction_warning with xgettext 0.21+.
...
"format string with unnamed arguments cannot be properly localized"
warning is not raised in xgettext 0.21+.
This patch uses a message that causes an xgettext warning regardless of
the version.
Backport of 07a30f5616
2020-11-02 10:30:40 +01:00
3da29a30c6
[2.2.x] Post-release version bump.
2020-11-02 08:55:25 +01:00
c769f65c98
[2.2.x] Bumped version for 2.2.17 release.
2020-11-02 08:49:01 +01:00
3db9a7aa8b
[2.2.x] Set release date for 2.2.17.
...
Backport of 7fc07b9b2b
2020-11-02 08:39:12 +01:00
b4b8ca4895
[2.2.x] Refs #31040 -- Doc'd Python 3.9 compatibility.
...
Backport of e18156b6c3
2020-10-13 08:45:37 +02:00
01742aa932
[2.2.x] Refs #31040 -- Fixed Python PendingDeprecationWarning in select_for_update.tests.
...
Backport of 0dd2308cf6
2020-10-12 12:21:33 +02:00
87b9a8b4de
[2.2.x] Refs #31040 -- Fixed crypt.crypt() call in test_hashers.py.
...
An empty string is invalid salt in Python 3 and raises exception since
Python 3.9, see https://bugs.python.org/issue38402 .
Backport of 1960d55f8b
2020-10-07 09:16:58 +02:00
657fea55cb
[2.2.x] Skipped GetImageDimensionsTests.test_webp when WEBP is not installed.
...
Bumped minimum Pillow version to 4.2.0 in test requirements.
Backport of fce389af7c
2020-10-06 11:32:34 +02:00
0f6e73e567
[2.2.x] Added CVE-2020-24583 & CVE-2020-24584 to security archive.
...
Backport of d5b526bf78
2020-09-01 11:39:59 +02:00
65078cf060
[2.2.x] Added CVE-2020-13254 and CVE-2020-13596 to security archive.
...
Backport of 54975780ee
2020-09-01 11:39:57 +02:00
0696540e23
[2.2.x] Post-release version bump.
2020-09-01 10:43:21 +02:00
bf07047f45
[2.2.x] Bumped version for 2.2.16 release.
2020-09-01 10:30:56 +02:00
dfcecb6e6c
[2.2.x] Added release date for 2.2.16.
...
Backport of 976e2b7420
2020-09-01 10:00:28 +02:00
a3aebfdc81
[2.2.x] Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.
...
Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
2020-08-25 11:09:40 +02:00
375657a71c
[2.2.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.
...
Thanks WhiteSage for the report.
Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
2020-08-25 10:59:42 +02:00
dc39e62e6b
[2.2.x] Refs #31863 -- Added release notes for 94ea79be13.
...
Backport of 21768a99f4
2020-08-13 16:32:58 +02:00
0a7d321bf7
[2.2.x] Fixed #31863 -- Prevented mutating model state by copies of model instances.
...
Regression in bfb746f98394ea79be13
2020-08-13 15:28:21 +02:00
Florian Apolloner
Carlton Gibson
Mariusz Felisiak
Nick Pope
Tim Graham
Max Smolens
Jon Dufresne
Gert Burger